[Oisf-users] limit alerting to outbound vs inbound?

Eric Howard ehoward at bbg.gov
Mon Oct 31 13:49:04 UTC 2011


Why not just change the rule(s) to be bi-directional and then apply the
threshold.conf suppression?

-- Eric --

On 10/31/2011 09:41 AM, Dewhirst, Rob wrote:
> No but that would suppress the events incoming but not reverse the
> detection logic.  The rules are written to only detect incoming
> connections.
> 
> On Mon, Oct 31, 2011 at 8:19 AM, Eric Howard <ehoward at bbg.gov> wrote:
>> Have you looked at configuring your threshold.conf file to suppress
>> events based on the direction of the flow?
>>
>> -- eric --
>>
>> On 10/28/2011 03:42 PM, Dewhirst, Rob wrote:
>>> Is there a way I can have suricata NOT alert when certain rules
>>> (especially the DROP, COMPROMISED sets) are tripped for inbound
>>> connections?  For some of my public systems I don't care if known bad
>>> hosts are contacting them, but I most certainly want to know if they
>>> make connections *out* to those systems.
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
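The two steps proposed in this thread (rewrite the rule header from `->` to `<>` so it also fires on outbound connections, then use a threshold.conf `suppress` entry to drop the inbound half) as an added Python helper. This is example code, not part of the original thread and not Suricata's own tooling; the sample rules, their sids and the 203.0.113.0/24 "public systems" subnet are constructed. The helper also flags rules whose `flow:` keyword is direction-specific (to_server, to_client, ...), since for those flipping the header alone does not necessarily reverse the detection logic, which is the point Rob raises above; such rules are listed for manual review rather than converted blindly.

```python
import re

# Constructed sample rules in Suricata/Snort syntax; sids are in the local range.
SAMPLE_RULES = [
    'alert ip $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SAMPLE DROP listed host inbound"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SAMPLE COMPROMISED host"; flow:to_server,established; sid:1000002; rev:1;)',
]

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
# flow keywords that tie the match to a client/server direction
FLOW_DIR_RE = re.compile(
    r'\bflow\s*:[^;]*\b(to_server|to_client|from_server|from_client)\b'
)


def parse_rule(rule):
    """Split a rule into header fields plus sid/gid and a directional-flow flag."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparsable rule header: %r" % rule)
    d = m.groupdict()
    sid = re.search(r'\bsid\s*:\s*(\d+)', d['opts'])
    gid = re.search(r'\bgid\s*:\s*(\d+)', d['opts'])
    d['sid'] = int(sid.group(1)) if sid else None
    d['gid'] = int(gid.group(1)) if gid else 1  # Suricata default gen_id
    d['flow_directional'] = bool(FLOW_DIR_RE.search(d['opts']))
    return d


def make_bidirectional(rule):
    """Rewrite the header direction operator to '<>' (the rule fires both ways)."""
    d = parse_rule(rule)
    return "%s %s %s %s <> %s %s (%s)" % (
        d['action'], d['proto'], d['src'], d['sport'], d['dst'], d['dport'], d['opts']
    )


def suppress_inbound(rule, public_net):
    """threshold.conf line that silences the rule when the destination is one of
    the public systems, i.e. the inbound direction; outbound (public host as
    source) still alerts."""
    d = parse_rule(rule)
    if d['sid'] is None:
        raise ValueError("rule has no sid, cannot build a suppress entry")
    return "suppress gen_id %d, sig_id %d, track by_dst, ip %s" % (
        d['gid'], d['sid'], public_net
    )


def convert_ruleset(rules, public_net):
    """Return (converted_rules, suppress_lines, needs_review).
    Rules with direction-specific flow keywords are left untouched and listed
    in needs_review instead of being converted."""
    converted, suppress, review = [], [], []
    for rule in rules:
        d = parse_rule(rule)
        if d['flow_directional']:
            review.append(d['sid'])
            continue
        converted.append(make_bidirectional(rule))
        suppress.append(suppress_inbound(rule, public_net))
    return converted, suppress, review


if __name__ == "__main__":
    rules, supp, review = convert_ruleset(SAMPLE_RULES, "203.0.113.0/24")
    print("# rewritten rules"); print("\n".join(rules))
    print("# threshold.conf"); print("\n".join(supp))
    print("# sids needing manual review:", review)
```

The suppress entry tracks by destination address on the public subnet: with the rule now bi-directional, an inbound hit has a public host as destination and is suppressed, while a connection the public host opens *out* to a listed address has it as source and still alerts.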



